From 2d05b8db5f293166e39002c5292bb5da1c9ab9ed Mon Sep 17 00:00:00 2001
From: akirilov
Date: Fri, 27 Apr 2018 15:12:59 -0700
Subject: [PATCH] RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)

Bug: 74075873
Test: manual
Change-Id: I76058b11c90dc40b78f26fb64b74d609f3473f5d
(cherry picked from commit 23918433c1f4970ae04c09a9fe096bf87cd83d76)
---
 stack/sdp/sdp_discovery.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index f831fdc6e..b01d8343f 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -353,7 +353,7 @@ static void process_service_search_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
 #if (SDP_RAW_DATA_INCLUDED == TRUE)
 static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
 {
- unsigned int cpy_len;
+ unsigned int cpy_len, rem_len;
 UINT32 list_len;
 UINT8 *p;
 UINT8 type;
@@ -384,6 +384,11 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
 {
 cpy_len = list_len;
 }
+ rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
+ if (cpy_len > rem_len) {
+ SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len);
+ cpy_len = rem_len;
+ }
 SDP_TRACE_WARNING(
 "%s: list_len:%d cpy_len:%d p:%p p_ccb:%p p_db:%p raw_size:%d "
 "raw_used:%d raw_data:%p",
-- 
2.11.0
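Review bot: The new clamp in the second hunk bounds cpy_len by the capacity of rsp_list (SDP_MAX_LIST_BYTE_COUNT), not by how many bytes of the response were actually stored, so it stops a read past the array but, as far as this hunk shows, a peer-declared length larger than the received data could still copy leftover buffer contents into the raw data. If the control block records the received length, clamping against that minus the offset of p would be tighter; the code that sets list_len and performs the copy is outside the hunk, so confirm it there. The subtraction is unsigned and would wrap to a huge rem_len if p were ever past the end of rsp_list, so a guard before it is worth adding. Both arguments to the new warning are unsigned int, so the call should read `SDP_TRACE_WARNING("rem_len :%u less than cpy_len:%u", rem_len, cpy_len);`. The body of sdp_copy_raw_data starts and ends outside the hunk.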